Krebs on Security

In-depth security news and investigation

Microsoft Responds to Critics Over Botnet Bruhaha

Microsoft’s most recent anti-botnet campaign — a legal sneak attack against dozens of ZeuS botnets — seems to have ruffled the feathers of many in security community. The chief criticism is that the Microsoft operation exposed sensitive information that a handful of researchers had shared in confidence, and that countless law enforcement investigations may have been delayed or derailed as a result. In this post, I interview a key Microsoft attorney about these allegations.

Since Microsoft announced Operation B71, I’ve heard from several researchers who said they were furious at the company for publishing data on a group of hackers thought to be behind a majority of the ZeuS botnet activity — specifically those targeting small to mid-sized organizations that are getting robbed via cyber heists. The researchers told me privately that they believed Microsoft had overstepped its bounds with this action, using privileged information without permission from the source(s) of that data (many exclusive industry discussion lists dedicated to tracking cybercriminal activity have strict rules about sourcing and using information shared by other members).

At the time, nobody I’d heard from with complaints about the action wanted to speak on the record. Then, late last week, Fox IT, a Dutch security firm, published a lengthy blog post blasting Microsoft’s actions as “irresponsible,” and accusing the company of putting its desire for a public relations campaign ahead of its relationship with the security industry.

“This irresponsible action by Microsoft has led to hampering and even compromising a number of large international investigations in the US, Europe and Asia that we knew of and also helped with,” wrote Michael Sandee, Principal Security Expert at Fox IT. “It has also damaged and will continue to damage international relationships between public parties and also private parties. It also sets back cooperation between public and private parties, so called public private partnerships, as sharing will stop or will be definitely less valuable than it used to be for all parties involved.”

Sandee said that a large part of the information that Microsoft published about the miscreants involved was sourced from individuals and organizations without their consent, breaking various non-disclosure agreements (NDAs) and unspoken rules.

“In light of the whole Responsible Disclosure debate [link added] from the end of Microsoft this unauthorized and uncoordinated use and publication of information protected under an NDA is obviously troublesome and shows how Microsoft only cares about protecting their own interests,” Sandee wrote.

Given the strong feelings that Microsoft’s actions have engendered in the Fox IT folks and among the larger security community, I reached out to Richard Boscovich, a former U.S. Justice Department lawyer who was one of the key architects of Microsoft’s legal initiative against ZeuS. One complaint I heard from several researchers who believed that Microsoft used and published data they uncovered was that the company kept the operation from nearly everyone. I asked Boscovich how this operation was different from previous actions against botnets such as Rustock and Waledac.

Boscovich: It’s essentially the same approach we’ve done in all the other operations. The problem that I think some people have is that due to the type of operation, we can’t have the entire community involved. That’s for several reasons. One is operational security. The bigger the number of people involved, the more likely is that is someone will make a mistake and say something that could jeopardize all of the work that everyone has done. Also, we’re making representations to a federal court that this is an ex-parte motion and very limited people know about it. If you have multiple people knowing, and the entire security community knows, let’s say we submit declarations from 30-40 people. A court may say, ‘Well there’s a lot of people here who know about this, so isn’t this information that’s already publicly available? Don’t these people know you’re looking at them already?’ We’re really asking for an extraordinary remedy: an ex-parte TRO [temporary restraining order] is a very high standard. We have to show an immediate threat and harm, ongoing, so much so that we can’t even give the other side notice that we’re going to sue them and take away their property.

The other concern is more operational. When I was in the Justice Department — I was there for just shy of 18 years — we even compartmentalized operations there. Information was shared on a need-to-know basis, to make sure the operation would be a success and that there wouldn’t be any inadvertent leaks. It wasn’t because we didn’t trust people, but because people sometimes make mistakes. So in this operation, just like the others, we engaged with industry partners, academic partners, and some of those who wished to be open, and others who preferred to do things behind the scenes.

Krebs: How do you respond to the criticism that Microsoft used and published data that came from core members of the security community who had placed certain restrictions on the use of that data — specifically that permission be obtained before it is shared or published?

Boscovich: Whenever we cooperate with the research community and industry partners, the assumption is that the information they provided is either their own, or is freely available amongst them for the purpose of securing the internet. They felt, we believe that all of this information should be used for the purpose for which it was intended: And that is to try to solve the problem and protect people who are being victimized by crime.

Now, there seems to be some allegations that there was information that one or two people provided to the research community –which is very large by the way — which for some reason they didn’t want to be acted upon. I don’t know what that means, but we only ask for information from our industry or academic partners that they believe is their own or is being freely shared in the community. The purpose for which we ask for this information is to reduce threat to consumers and people being victimized by crime. If there are any allegations that somehow Microsoft knew this was privileged information, the answer is absolutely not. We respect the rights of others and the information we received from academic or industry partners…the representation was made to us that it was either their own work product, or it was made available by other researchers and that was freely shared amongst them to be used for this type of purpose.

Krebs: The Fox IT researcher accused Microsoft of disrupting law enforcement investigations into miscreants using ZeuS. Is that true?

Boscovich: Looking at the Fox-IT blog, I’m disappointed by the fact that they talk about ongoing investigations. There’s no way for us to know whether there’s an ongoing criminal investigations from law enforcement. There’s a litany of legal proscriptions and prohibitions in having that kind of information, so I’m not sure how they would know. But obviously we don’t. They omit the fact that in all of these operations, the objective is to notify and clean the victim’s computers. In addition to disrupting, we want to help clean these computers.

Krebs: And what about the criticism that Microsoft’s actions actually took down legitimate sites?

Boscovich: There were some mention that there were legitimate web sites that went down. But you know, the law actually provides a mechanism on that. We put up a cash bond, and we explained to the court that we have a process in place in the event that a legitimate Web site goes down. There were several that were legitimate, but they had been compromised. Our people worked with those sites, and they were not aware they were compromised. And although they were down an hour or two or three, they would probably have never known they were being used by criminal organizations.

Krebs: Some people have been critical of Microsoft’s actions as “vigilante” activity, as participating in the sort of activity that should be left to the authorities. But Microsoft has taken a slightly different approach, attacking this problem through the civil courts. Is there a conflict here, between these two approaches? Isn’t there the possibility that Microsoft’s actions on the civil side could derail progress of law enforcement investigations working the criminal side?

Boscovich: Our strategy, which is a disruptive strategy, came from the idea that there are two ways to tackle this problem; you have the very traditional law enforcement approach, which its ultimate goal has always been that you have to have a well-identified target and arrest that person. We’re not saying necessarily that that’s a bad model. For years and years we fought drug dealers by trying to stop the drugs or stop the distribution. Until we said, why don’t we disrupt them differently by going after their flow of money? And you saw this wave of legislation which came about as anti-money laundering. And we began doing money laundering prosecutions, even though that particular case had absolutely no drugs involved at all, but we were able to show some kind of taint.

Taking that idea, we were able to literally start hitting the criminal enterprises and drug dealers where they really felt it — in their profits. Even though sometimes we didn’t get many arrests, we got seizures, forfeited accounts, forfeited cars, houses. Instead of trying to get the guys behind this, we said why don’t we just strike them where it’s going to hurt them the most? And that is their criminal infrastructure — the botnets — which really allow them to leverage everything they’re doing and make a profit out of it. So we came up with Project Mars and the disruptive strategy.

Krebs: Is it working?

Boscovich: I’d say it is working. Recently, an article came out in the Wall Street Journal that mentioned a huge reduction in spam as a result of botnet takedowns. We’ve taken down Waledac, Rustock and Kelihos. All of them basically spam bots. But that disruptive activity has dented the amount of spam that gets sent out. Even today. And I think that’s a good proof point that the disruptive approach works if you give it time and keep going at it.

What we wanted to do with Zeus was continue with the disruptive approach, but in this case we didn’t target one particular bot. We wanted to make our first assault a much broader assault, and that’s why we went after a particular family of malware, all of them with the same code base, so that we could bring it all together under one legal document, which is under a RICO statute. Kyrus did the malware analysis and found that all these versions bubble back up to the same core code. We wanted to disrupt that business model as much as possible. We knew we were not going to fully eliminate one bot. That was never our intention. And I think we were pretty clear that this was the first salvo to this whole group, to introduce a certain amount of entropy in there, and at that point to try to start increasing the costs of them doing business.

Krebs: It seems like the core dispute here is what should be done with information that is unearthed by security researchers, that the key question is how or who decides when and whether information about certain bad actors should be acted upon. Would you say that’s accurate? And where do you come down on that?

Boscovich: Microsoft is a pretty big company, and a lot of the stuff we do is based on our own research as well. But we really want to see other companies that have appropriate standing do their own actions. We really believe in the disruptive strategies. We believe that all of this information that’s out there…and the community does amazingly good work in tracing this stuff…but there comes a point in time that you have to action on the information. All this information is great, but if you don’t action on it quickly, that data either becomes stale or it moves. We really believe there are people in industry and the academic and security community that want to have an impact and want to work with us.

Krebs: Were you aware that a number of people Microsoft named in its latest John Doe complaints are considered the core group of folks that the Justice Department has pegged as the guys behind the operations that cost businesses tens of millions of dollars over the last few years?

Boscovich: Based on the investigation that we uncovered so far, we feel very confident that the people we named, with the exception of a few guys that were lower-level players…we feel confident we’ve named the right individuals involved. I really can’t give you all the information we have, other than what’s outlined in the pleadings. But I think the claim that somehow a civil action will destroy all these criminal investigations…I think that’s a fallacy, and near-sighted, and it shows I think a certain naiveté based on not being in that world and not understanding how criminal investigations operate.

Krebs: Can you talk about anything you’ve learned since this action, in terms of the actors involved?

Boscovich: There’s more information that’s coming in, and I feel confident that over the next several weeks and months that will translate into additional updates to the case, and we may amend our complaint. We also are happy to inform that as a result of being able to sinkhole the [ZeuS control] IPs, we can get the location of these infected computers, and work with the community to get this information out. We believe we may be able to get this information out as early as sometime next week.

Krebs: The Fox IT folks and others in the industry have characterized this initiative as little more than a clever public relations stunt by Microsoft, designed principally to make the company look like it is protecting customers from bad guys. How do you respond to that?

Boscovich: It’s not a black or white scenario like the Fox-IT people put it. I’ve been doing this for about 17 years 10 months, I know what very complex criminal investigations [are] and what works well and what works not as well. It’s appropriate and beneficial for both criminal and civil parallel proceedings, because they complement each other.

From a company perspective, and this goes to the PR allegations, of course every corporation is a for-profit corporation. We’re not a charitable institution, obviously. But there are some times when it makes good business sense to actually do good in the community as well. It’s one of those intersections where business and being a good corporate citizen actually complements each other. I’m not going to be disingenuous and say we don’t have a benefit in doing this. But I can also tell you with a straight face that we do it also because we want to do the right thing, we want to protect our customers, and we want to protect people going on the Internet.

We’re sort of like the emergency room physicians: When someone comes in and they’re bleeding profusely, you have to stabilize the patient and figure out how to stop the bleeding, so that the next guy who comes — the surgeon — who’s waiting in the operating room, is able to save the life of that person. From a civil perspective, we go in and want to help those victims. We want to stop the bleeding, save as many people as we can and clean their computers.

The question we have to ask ourselves is when you have information about millions of people who are currently victims of crimes because their systems are compromised, do you do the emergency room thing to try to stop the bleeding and try to clean those peoples’ computers so they continue not to be victimized? Or do you do nothing with the information? I think we’ve been fortunate in working with academic and industry partners to share information and address that problem.

In terms of identifying the actual cause, getting to the root, the defendants, all this information, we’re going to pass it on as we have in the past to law enforcement. But I think their investigation will be enriched by a lot of things we can do legally simply because we are a victim and we have access and resources to investigate these things. And then when we pass it along, I believe they’re in a much better position to drill down and use the legal processes that they have — which we do not have — to follow things such as money and financial trails and go overseas to international agreements.

Krebs: With the benefit of hindsight, what — if anything — would you do differently about this operation, if you had to do it all over again?

Boscovich: That’s a good question. I was a little bit taken aback by some of the criticism in light of fact that nobody from fox-it called us to discuss or explain their concerns, or to why some decisions were made legally. We always want to find ways to work with the community and the sharing of information is crucial to that. If you notice, every time we do one of these we have different academic or industry partners that work with us, and we love to rotate those who do work with us. And the ones who want credit, we really try to make sure they get credit where it’s due. We hopefully will try to explain this better, probably at the next DCC [Digital Crimes Consortium, an annual, invite-only Microsoft conference], that we’re on the same team. I think we want the same objectives, so hopefully we can bridge that gap and continue the work we’re doing, to clean these computers, and to disrupt that ecosystem that is being utilized by the criminals.

Krebs: In a nutshell, what would you like to get across or communicate better about this action?

Boscovich: Hopefully, we’ll be able to explain that there are a lot of legal issues involved, and a lot of things we can and cannot do. Some of them many people may not be aware of. Which is understandable: they’re not lawyers. These guys are technical in their field. In the same way I can’t reverse engineer malware, but I’m pretty adept in understanding what are the limitations and potential liability issues when you do these operations. I hopefully can explain that aspect to them, so they have a better understanding and appreciation that when we do things, why we do them the way we do.

This entry was posted on Monday, April 16th, 2012 at 1:49 pm and is filed under A Little Sunshine.
You can follow any comments to this entry through the RSS 2.0 feed.
Both comments and pings are currently closed.

Seems like the entire disagreement over what to do with the information is because too many people were involved in the first place and someone’s feelings got hurt. Keep the number of people involved to a small number and it’ll be easier to reach agreement on when to act on the shared information. Good information with no action really is just as useless as bad information.

“Good information with no action really is just as useless as bad information.”

This is not the question… They used private information from another researchers for their benefits and then they published all (Oh, we are very cool… we have all data of the badguys…). And ALL without asking to the sources. Is this OK?

This information was used in a lot of investigations, and now, of course is impossible to use.

As a example, what do you think that criminals did? Changed all mails,jabbers,icq, names, etc… now impossible to track them through their nicks, because they changed to others… now, investigations stopped, and criminals smiling.

No, I don’t think sharing Private Information is OK. That’s exactly why if you want to keep it Private you don’t share it with many people to begin with in the first place because eventually it’ll become Public Information.

If a woman is pregnant and she tells every one she knows but then asks them to keep it private is it really private information anymore? I’m not necessarily speaking to the specifics of this case…just in general principles when it comes to OPSEC.

But wouldn’t that then mean it falls to whomever shared the information with Microsoft? What were they going to do when they got this information but do something like this? While they’re building a network with Law Enforcement for physically taking down servers, they still aren’t much use for performing online tracking. So if someone shared this information with them, regardless of whether they expressed confidentiality, MS was going to go ahead with the course of action that they believed it was right.

Personally, I agree that they should have confirmed that their actions wouldn’t impact others. But if there were a large number of people involved, then confirming nobody else is doing something can reveal how many are actively working on the case and tip the hand of all to the criminals. And yes, of course, it’s also a PR boost for them when they do something public like a take down.

I would hope it doesn’t freeze information sharing. It seems that they do need to spend some time thinking about how much to share and with whom. Which is unfortunately, time and brain power that could/should be spent chasing the criminals. But loose lips sink ships, and in the end, it’s still almost always user error.

Reading through all these comments it sure seems like the main issue is because of the extra information Microsoft made public (nicks, jabbers, icqs). No-one is upset about their actual actions (takedown, or seizures of domain/servers), since this of course is generally a good thing.

It appears if they were to continue down this disruption path as long as that type of extra information was kept private no-one would be complaining (security researchers or there-other).

Am I wrong?

Aside: I must admit the way it was done definitely is a PR stunt even if they had good intentions… there is no reason to make all details public or create a video about the ordeal unless you are trying to do something besides disrupt the botnet (I.E.: make your company look nice for the media). If cleaning pcs and hurting the bad guys was Microsoft’s endgame they could’ve accomplished all of that without any bad press if they just kept their actions to themselves and those who need to know. But that is the exact opposite of how they decided to go about it, so of course it isn’t going to sit well with everyone.

Yes, you are. Providing that information publicly for a simple operation like a few PR driven takedowns burns the data for LE action that would accomplish far better and far more difficult ends — arrests.

I take Microsoft’s side on this one. Perhaps there are communication improvements to be made, but it’s Microsoft that’s actually going into battle to take down these sites. I get the feeling some of these researchers need to have their egos stroked and yes, Microsoft and the DoJ is right to be concerned about leaks. You would wonder if any of these guys had ever heard of the “need to know” principle.

As if nobody did that before, we usually just don’t talk to the press about it (so much for the ego). And over those many years we noticed that taking down sites does not work, the bad guys expect that and have a backup strategy, the botnets are back in operation within a few hours.

Thing is… what did Microsoft’s action do? After the take down, the same group was still running the lastest and greatest bot net. Banks are still seeing account take over attempts from Zeus Based malware, nothing really changed. If anything, Banks saw an uptick in the fraud attempts. (Speaking to multiple Bank fraud people is where I get that info). So what gives? What is the endgame here?

– Uptick in fraud after the action
– Only older C&Cs (and some for Spyeye!) seized
– Current information on actors now made public (think they will change that now ?)
– Microsoft gets PR and makes a video
– State of Fraud is exactly the same as before, and now bad guys can look at the public filing to determine what information the good guys have.

So I am confused on the endgame. Granted maybe we don’t need to know, but at this point, no one is sharing and all we are seeing is negative results.

I think the “security community” who are upset because Microsoft took action, when they did not, is missing the big picture.

First, Zeus has been around for years. If you haven’t gathered enough evidence to prosecute then, really, are you going to?

Second, international law in prosecuting criminals using the Internet is pathetic. They know it which is why Zeus has existed for so long and has been responsible for mass losses from banks all around the world.

The MS lawyer says it correctly that the only way to tackle this problem is to hit them where it hurts, hit them hard, and hit them frequently. Thousands of Zeus infected computers are not sharing PII data because MS did something rather than trying to find some Eastern Europe criminal that will never be prosecuted.

I think the “security community” who are upset because Microsoft took action, when they did not, is missing the big picture.

–> Point one: Security community has taken action, just not made a movie/you tube video about it.

First, Zeus has been around for years. If you haven’t gathered enough evidence to prosecute then, really, are you going to?

–> Point two: ZeuS is a kit, not a single crime actor/botnet. It’s source has been publicly released. You can’t prosecute a botnet. You have to get the people running it. And there are multiple iterations. This action by Microsoft targeted the simplest of the C&C servers (not touching the current, most sophisticated ones) while naming some of current leads on current actors. Result: taking down old infrastructure and passing off good info to bad guys about what good guys know.

Second, international law in prosecuting criminals using the Internet is pathetic. They know it which is why Zeus has existed for so long and has been responsible for mass losses from banks all around the world.

–> Point 3: Please see previous about. Zeus is greek god, ZeuS is a crimeware kit, neither exist as a singular entity that can be taken down by a filmed civil filing on a few old servers.

The MS lawyer says it correctly that the only way to tackle this problem is to hit them where it hurts, hit them hard, and hit them frequently. Thousands of Zeus infected computers are not sharing PII data because MS did something rather than trying to find some Eastern Europe criminal that will never be prosecuted.

–> Point 4: “hit them where it hurts” but this action really didn’t hurt them, and it provided some good info to bad actors. Where is the upside? Bad guys are still taking money. That hasn’t changed, they are laughing as they now have information to help their own opsec, yet these old servers are filmed being “taken down” in a You Tube video put out by Microsoft. Where is the upside I ask again.

1. While I am also part of the “security community” I partially slant for being narrow-minded, I don’t think this operation for MS was all about making a YouTube video. I think we all have to agree that MS had good intentions regardless on where you stand with the rest of the operation.

2. As I mentioned, I am also part of this community. To expand on your point from another viewpoint, do you really think that catching a small group of 16 year olds is going to make a dramatic difference to the expansive ZeuS botnets? I mean even today, “Sabu” was arrested and turned into an informer and did all the LulzSec and Anonymous people/groups just give up? While I will admit there is no silver bullet here, to use an analogy, I think busting down your door and taking you away (leaving your house intact for the next person to live in) is far weaker than knocking down your house and making you go find a place to rebuild it from scratch costing you time, money, and effort.

3. I don’t think you rebutted my internation law point so we will just agree it is poor. Since you are trying to arrest and convict people with these laws, they need to be a lot stronger and processes need to be streamlined a lot better to be effective.

4. Sorry, but as I said, there is no silver bullet but there are positives to this. Specifically, the one’s I pointed out. In addition, you reference that the “good guys” told the “bad guys” what they are doing. Sorry again but they already know. They are not that stupid to not have an intelligece collective to watch what is happening out on the Internet related to “good guy” activities. Hence why MS kept it so quiet.

In conclusion, as I have repeatedly said, there is no silver bullet here but I think this was a far more positive activity then what is being put forth by Fox-IT.

Frustrated: Thank you for your reply and for keeping the discussion civil. I appreciate that as does people who are really trying to understand this situation.

I’ll come back to the numerical points.

1. I at this point don’t understand the intentions of Microsoft. That has and will continue to be the intention of my posts. I fail to see the upside so far, knowing and talking to people inside of Banks and the “outcome” that this operation entailed has not shown a positive affect, however it did produce negative affects in the way of providing bad guys information about what the good guys know. I am not “anti” Microsoft or the operation, but I don’t want to give the benefit of the down on the intentions of the operation without knowing more info.

2. I don’t mean to come off as blunt or flippant, but this group is not a group 16 year olds. Thus taking them out isn’t a simple operation, it’s a complex operation that requires time, coordination, and multiple industry partners working together. While Microsoft’s operation may be construed as “action” it was fairly unilateral. in it’s scope. Hurting current operations, operational security of those preventing the fraud from these groups, and generally reversing progress that has been made. While these negatives imply a “view” of this operation, I am not opposed to making sacrifices to further an investigation, however, those sacrifices need to be made to with a strategy for positive outcome. I am hoping that’s what this operation has done, but based on my contacts, banks are NOT seeing a positive outcome, thus I question the efficacy of this operation.

3. International law is hard, but progress has been made. It’s slow, but good stuff has happened. A cowboy approach doesn’t move along the delicate approach that needs to be to had to get true cooperation.

4. While the bad guys are smart, they are not all knowing. There is information that was provided in this release that was not public knowledge, and more importantly, information that is was EXTREMELY unlikely that bad guys knew good guys knew. With them knowing this information, they will very likely change tactics requiring the community and law enforcement to start from scratch in a lot of areas. I wish I could go into more detail, but at this time I can not.

The approach of Microsoft and Fox IT are odds. Is either 100% correct? I am not sure, I am not taking sides, however, I do know that the approach of Fox_IT and others in the community does lend to a more cautious approach that doesn’t produce the outcry that we are seeing here. A common misconceptions is those of the Fox-IT mindset are not doing anything to prevent fraud. Without going into a lot of details, LOTS is being done by those folks to help prevent the fraud going on. It’s hard to realize that, as they do not publicize it. To be clear: Microsoft approach vs. Fox-IT approach does not equate to “Action against Criminals” vs. “Doing nothing” instead it equates to “Taking some action, and being public about it” vs. “Taking some action and not being public about” we need to be clear on that distinction.

How can taking Zeus servers offline not be a positive effect? Yes it is a kit and there will be more strains and more botnets to be dealt with, but the other side of the coin is this botnet takedown spurned a lot of interest and action in the non-security community. I understand MS should do a better job with communication and keeping confidential information private, but if anything this signaled a need for more takedowns, not less.

The question isn’t if taking a ZeuS Server off line is positive. The question is, given the targeted servers (Older servers, not associated with current account take over fraud) and given the “cost” (providing current information on know actors involved in multi-million dollar fraud NOW using infrastructure that was NOT affected by the take down). Was the cost worth it to take down these older servers? Do we come out ahead because some old out of date ZeuS servers are no longer running vs. the amount of information provided to the criminals? That is the question.

Problem is, you can’t look at an action in a vacuum. Is taking a malware server down good? By itself, the statement seems to be true all the time. But what if taking that server down adversely affects operations that prevent, investigate, and prosecute cyber crime. Is that statement true then?

What I am asking here is what is the positive affect? Fraud has not decreased, if anything upticked with in the banking area. And now we lost leads on the jerks running the operations. What was gained? Yes, some servers are down, but these servers are a dime a dozen. The cost everyone talks about that criminals have to put a new server is minuscule compared to the money they earn.

Thanks for the interview, Brian. Unfortunately, this man has no idea what he is talking about and is the mouthpiece for Microsoft’s agenda. If the idea is to destroy the ZeuS network, this did not do it, we have an uptick in ZeuS activity since this happened. If the idea is to prevent customers from getting ZeuS’d in the first place, no one is better positioned than Microsoft to create fixes to the OS and browser , the key ingredients in the fraud process. Taking down two servers did not do anything but expose intelligence channels law enforcement was using to build criminal cases against these fraudsters and generate a press release for Microsoft.

b.s. what criminal cases? Where are they all? This has been going on for how many years now? The “security research community” is really just a bunch of individuals and organizations making a profit from selectively sharing security information only when there is an opportunity to profit and/or enhance their image from doing so. To bitch about MS doing the same is frankly a bit humorous. I’m all for capitalism, we all need to eat, but it seems clear to me we aren’t going to solve this huge problem by hiring security researchers/vendors one-breach-at-a-time.

I am confused. Microsoft talks about operational security and not sharing with the community at large to not jeopardize the operation, yet people defending the actions of Microsoft claim that there there are no Criminal cases… “Where are they all?”

So Law Enforcement isn’t allowed operational security but Microsoft is? Once again, per my previous post, I am just looking for what the endgame is. I can’t see it, and there aren’t results yet. So please enlighten us on the endgame you are defending.

PS. I’d also be interested to hear more about your assertions related to the security research community. You are making a very specific claim against a large cross-section of individuals, and I am curious what is your basis for such a claim. Could it be a possibility that your experience in such an area really doesn’t position you to make such a claim due to lack of experience with a majority of these individuals?
I am not making an accusation, I just trying to understand the basis of your claim.

What I am defending is action over inaction; broad sweeping action over selective action. The end result may or may not have been productive in this case, I will grant you that, but I support it because I am tired of what I perceive as nothing.

“I’d also be interested to hear more about your assertions related to the security research community”

Well, my statement was a gross generalization, and to be fair I’m sure there are some exceptions. My basis for the claim is based on lack of results; on the reality that normal IT folks are living with today. On any given day, I can find malware that:
1) has no antivirus protection/detection
2) there is nothing “publicly” available about
3) multiple malware prevention and detection solutions are incapable of detecting. I won’t name names, but I’m not talking AV here.

The kicker is, these aren’t targeted attacks…it’s just “run of the mill” phishing crap. If the broader security community really had the best interest of the public in mind, why wouldn’t these security products have some better shared understanding of these attacks…hell a shared list of “bad actor” ip addresses would be a start? Even better, why isn’t there high quality, comprehensive threat intelligence available?

Like I said, I am not attacking Microsoft, just questing why… can’t see results in the positive, can see results in the negative… what am I missing?

As to your three points

1. Security research community != AV companies. I won’t go into a dissertation on how these differ, but do some research on the subject and I think you’d agree
2. False. Lots of a good publicly available information. Please check the Emerging threats mailing list and move on from there. Lots of great information about protecting yourself and your networks.
3. Yes, there is a lot of financial incentive for fraudsters to write undetectable malware. If you have a solution to this, please go ahead an patent it. If you do this, please invite me to your party at your billion dollar mansion.

There are many publicly available lists of badness out there, malware domains, IP, black lists of IPs with infection, etc. All designed to help you protect your network. Posting that these don’t exists and that Microsoft has now filled the gap isn’t factual.

False? Re-read what I said, it is as definitive as can be given my inability to memorize the entire Internets:-). I am well aware of emerging threats and other sources. They are good sources of threat information, but not nearly good enough.

“If you have a solution to this, please go ahead an patent it. If you do this, please invite me to your party at your billion dollar mansion.”

So your justification for your comments and Microsoft’s action stems from the failure of the Anti-Malware companies? It seems fairly limiting to lump the whole “Security Research” community into people who work for Anti-Malware companies, as I can assure you there are plenty of extremely technical and skilled researchers in many other fields that are doing everything they can to not only stop the infections, but more importantly stop the IMPACT they have on both the user and the industries targeted.

I do not think that the focus should be on stopping infections, those are going to happen pretty much no matter what we do, however we can stop the impact that those infections have on users and industry (for example to the financial industry). By disrupting these researchers, Microsoft has effectively screwed over the users by revealing intelligence information vital to stopping the effect of the infections (say that three time fast) and potentially causing the miscreants to change their M.O. right when we were potentially beginning to gain a better understanding of how they were operating.

Finally, trying to get a “bad actor IP list” is great, but without any context to the IP address information and also with the dynamic qualities of many home internet connections, that list would potentially be useless. Nevertheless, the known RBN lists, the spamhaus block lists, and various other black-lists should suffice for what you are looking for.

preferring action over inaction. That is all. I am fed up with seeing everyday malware bypass my millions of dollars in defenses. The justification for my comments could be summarized by the lack of results being produced. Just to clarify, I’m not talking about the broader security research community. I’m talking about malware research. That wasn’t clear in my earlier rant:)

“By disrupting these researchers, Microsoft has effectively screwed over the users by revealing.”

that seems logical, but I’m not buying it. We’re already screwed over, and I don’t see MS actions making that any worse.

“Finally, trying to get a “bad actor IP list” is great, but without any context to the IP address information …”

That is my point exactly. Why can’t we get context? Worst still, do any of you believe that emerging threats (for example) contains anything approaching the full list of know bad actors? Shouldn’t it be obvious that many in the security research community see threat intelligence as a competitive advantage? I don’t begrudge them that, but let’s not pretend we have sharing when we don’t.

“Nevertheless, the known RBN lists, the spamhaus block lists, and various other black-lists should suffice for what you are looking for.”

I was also surprised by how vehement the accusations against Microsoft were in this case. I think one of the misunderstandings is that certain security companies believe that when they share an interesting insight or identity, no one else already knew that information. Often there are half a dozen or more organizations who each think they have “exclusive” information that has also been independently discovered by others.

Do we “disrupt” or “monitor in place” is an on-going debate in the security researcher community. Some want to knock down everything as soon as they see it (I joke with some friends that they have built businesses on “destruction of evidence”) while others would be happy to monitor for a decade and never do anything to stop the flow of money to the criminals! The compromise that Fox-IT asks for is “ask the community if anyone objects, and THEN disrupt.” As Boscovich says, that’s not always possible. I see the value in both approaches, but I agree the “ask and THEN disrupt” model is preferred whenever operational security concerns allow it.

I appreciate the open dialogue that you are helping to bring about, Brian. Keep doing great work!

If you read my blog:
“The information was in exactly the same order and contained exactly the same amount of information on those john does that we and also a friendly information security company had provided.”

… Do you still think that someone would find exactly the same info in the same order, and one piece of info even being wrongly included because it leads to the wrong person? If you think that is possible, you probably also buy a lot of lottery tickets, because the chances of winning that are a lot larger

Michael- Gary’s point has some truth. And it’s also true that it’s awesome that a profit driven company like Microsoft is using its legal horde for something other than suing weaker parts of the supply chain for Android royalties to make up for the massive Windows phone fail.

But even better, your note just demonstrates that even while providing some good ends with their legal team, Microsoft is really a massive vampire squid sucking innovation and collaboration out of every industry effort it sees, including the “security community’s”. Embrace, extend, suffocate.

Brutes don’t respect gentlemen rule agreements. Take your work, take credit, get some PR to amplify their “grand contribution”. Repeat.

I have always been of the opinion that someone needed to step up to the plate to take some really bold action to take down the botnets. There are too many in the security community that simply study the issue and insist that the problem could be solved if one merely educated the users, but to me that seemed futile and like passing the buck.

Yeah, they stepped on some toes along the way. And I understand that there are a lot of complicated legal things that need to go on. If the white-hats had been able to write malware of their own that did nothing more than deactivate other botnets, I suppose the job would have been easier, but that sort of thing could never happen for obvious reasons.

Brian has done a lot of sleuthing that showed that not only are they keeping the same numbers for years, they are using them for personal purposes like online classified ads.

One of the problems these lovely folks have to deal with is that since they’re trying to stay anonymous, no one knows if they can be trusted. Someone offering his services on an online forum could be an undercover researcher, an FBI agent, or even the same scammer that ripped off a lot of people last week and got banned from the forum. Having a persistent icq is a way of building a reputation. Having to change it is a definite inconvenience for malware creators.

From an abuse desk perspective and a product liability point of view, when will YOU microsoft start to clean up YOUR infected installations around the world YOURSELF? – The truth is you rely on third parties to inform providers to identify connections to request your customers to scan their PCs with third party software to find or not find something on computers running your OS which is not capable to inform the users about the infection itself, leaving them alone with an inadequate process of re-installation…

Reminds me of the car industry and their security negations back in stoneage (People are stupid or drunk, cars don’t need crumple zone, seat belts and stuff).

Btw: When will you start an appropriate update-process for the millions of outdated infected systems in developing countries (and schools) and will YOU manage to clean your OS from DNSChanger infections running in half of Fortune 500s and U.S. government agencies with the extendet delay this time?

Don’t get me wrong: I appreciate that you started to do something… and hope you start to take on responsibility.

Some slick lawyer talk there. The issue is, this is just an event/action and many more will be needed to keep those pests at least a little bit under control. If one party (Fox IT and other Security Researchers) feel they have been wronged by the way Microsoft handled this and the future one or two (attempted) take-downs, they will stop sharing information with them. Everyone can talk until their mouths get dry about who was right and who was wrong, long term, effective collaboration and trust can only be achieved through consensus.

I think the unspoken story here is the “security community”. Anyone aware of the “community” should be aware that it is not, in general, a significant actor in criminal complaints. Law enforcement is the principal in those matters and generally does a terrible job in computer crime. Therefore, that component of this conversation is a tangent at best.

The truth is that the “security community” sells intelligence services and other “APT” data to their customers. It’s certainly reasonable that these companies and individuals might profit from their work. The unspoken rule is that the “community” can resell the information to their customers but not generally share it. However, Microsoft considers the Internet as their customer so privately securing a handfull of customers is non-sensical in that perspective.

Perhaps less cynically, there is often a case to monitor malicious actors rather than immediately acting. However, that doesn’t appear to be the case in this matter. Microsoft appears to have thoroughly analyzed the threat and acted to disrupt it entirely.

Of course the actors will return to similar behavior. However, the cost of doing business has increased and ultimately the purpose of any computer security action is to reduce compromised systems – which has been done.

Surely anyone can understand that seizing some servers which won’t contain any useful info and are easily replaced and thereby also offering the herders a chance to remove traces and stay ‘dark’, is utterly silly.

The first botnet was up only 24 hours later, 24 hours ffs.
What’s the use of such way of fighting ‘cybercrime/botnets/herders’? Microsoft has simply behaved poorly.
Crucial info blown+botnet-down-for-only-24-hours=close to failure.

What’s the point of locking the doors to your car and removing the keys from the ignition? Thieves will just break the windows and hotwire it anyway.

But by increasing the difficulty of committing a crime, by forcing criminals to change from the easy path of least resistance to other means of pursuing their crimes, you are forcing them to take risks they would prefer not to take. Some will be unwilling to take those risks and will not continue to participate. Others will continue, but will have to take risks that make it more likely they will be caught.

You won’t stop all crime by enforcing laws. But if you don’t enforce laws at all, criminals have so much freedom to operate that the rest of us can’t carry on daily activities without having to deal with them.

We have to rethink whether our main goal is to gather evidence so we can eventually prosecute criminals or whether it’s better to create disincentives to committing crimes in the first place.

As far as the folks who object to the info being blown, I don’t think your analogy holds up. IF Microsoft did blow crucial information, then it might be more like:

I found my stolen car and politely asked the thieves to clean it for me before I took it back. The thieves had another stolen car within 24 hours, and nothing about my car was of any use in tracking down the criminals or recovering the next stolen car.

Putting aside the actual botnet, the issue as I am reading it is that a private task force/group has been using a private mailing list to colloborate and share information regarding potential operators of said botnet. MS who were also on the mailing list then used this information to launch the take down but failed to abtain consent from those whom provided a lot of the information… this information was then made public in the court documents and any advantage researchers had in having this information as a path into the bot controllers activities is now lost. Hence, for 2 servers, MS sold out the security community along with giving the bad guys a great cache of information the researchers had on them… sounds like something they would…full disclosure only when it suits them

Do you really believe this? Perhaps the members of this group could help the public understand the good deeds they are doing. I mean, provide a list of the takedown actions that have occurred as a result; that sort of thing. Perhaps many of them occur behind the scenes? I don’t care if you create a sinkhole for the purposes of gathering intel and then selling your services, that isn’t providing the kind of public value I’m talking about.

“any advantage researchers had”

If the only advantage lost is the ability to sell threat intelligence, I’m not sure I care.

You have to understand that lists and working groups in the security community are usually made up of individuals, not the companies they work for. The trust is based on personal relationships. The sharing process is pretty informal, often companies just tolerate that employees share info unofficially or they even don’t know about it. The group policies differ, some groups restrict the info to only the people who are a member, some allow the info to be shared within the company a member works for. None that I know of allows the data to be resold directly, while you’re allowed to use it as intel and sell your own findings based on it as part of a product.

Now, not only companies selling data or intel are part of those groups, it also includes network operators, independent researchers and even LE. Everyday communication contains things like this:

A (research): Hey B, you have a XYZ controller on IP x.x.x.x on your subnet.
B (hoster): Thanks A, we’ll take care of it.
C (ISP): B, can you share logs so we can notify customers?
D (LE) privately to B: Please keep it running for know.

So much for a bit “behind the scenes”. You can’t say that research and data sharing in groups does not have an impact, I would state that it has a much higher impact than publicly taking down two boxes.

But.. as you can also see some of this information sharing touches legal grey areas. That to some degree explains why it happens behind the scenes.

I respect MS for trying to get domains sinkholed by using the law instead of talking to a friend who works at a registrar and is nice enough to just redirect the domain, knowing the customer won’t complain.

Good description of how the informal information sharing networks work, and good point about the resulting onesy twosy takedowns that result.

Does anyone really think that makes a dent in the problem?

Black holing one server address at a time is useless, a new one can be online just as quickly as the old one was taken out. It’s like King Canute trying to stop the tide, or trying to protect a seawall from a tsunami by bailing with a dixie cup.

Microsoft is tackling the problem differently, by trying to make it costly for the attackers and thus to shift the economic equation to be less favorable for the criminals. It’s a good idea, one that not many folks could implement. Kudos for the attempt.

If there are concerns about how it’s being done, how about focusing on how the basic strategy can be implemented in a way that resolves those concerns?

Good work Microsoft.
Finally somebody has got guts to do what needs to be done to protect the victims.
I really admire Microsoft for what they have done and I appreaciate that MS did it in a legal way.

If somebody tells you the secret your neighbour is drug producer – are you really binded by the promise you will not tell anyone? Are you sure you should not go to police and reveal this secret?

I understand that there will be always somebody harmed. “Kdyz se kaci les, letaji trisky.”
Question is what would the victims say and preffer if they would understand and bother.

There is no guarantee that Fox IT would win their case even if they would be gathering their data for one more year.

Wow. This is quite an interesting article. Thanks Brian for doing/publishing the interview, and thanks to all of you who have engaged in such a spirited discussion about this. I can see both points: Microsoft getting consensus before acting to ensure there were no other investigative compromises and Microsoft acting quickly to disrupt–despite the servers being ‘old’–and pacify to contain a threat.